Ask Your Question
0

Could tshark capture the de-encrypted packet when receiving ESP?

asked 2024-04-09 00:23:53 +0000

mzhan017 gravatar image

We encounter one problem: When using tshark to capture the packets on one interface(virtio_net). The tshark could capture one ESP packet, and also one packet without ESP header, that has been de-encrypted by kernel to plain packet.

How the tshark captured the second de-encrypted packet?

Thanks, Mark

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-04-09 01:22:46 +0000

mzhan017 gravatar image

updated 2024-04-09 07:23:12 +0000

grahamb gravatar image

Seems expected for tunnel mode, from code of kernel. xfrm_input

....
    if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) {
        decaps = 1;
        break;
    }
....
    if (decaps) {
        if (skb->sp)
            skb->sp->olen = 0;
        skb_dst_drop(skb);
        gro_cells_receive(&gro_cells, skb);
        return 0;
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-04-09 00:23:53 +0000

Seen: 112 times

Last updated: Apr 09

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark